The vicious cycle of imbalance between cyber attackers and defenders seems never-ending. Defenders continue to develop and implement new tools to prevent, detect, monitor and remediate cyber threats while attackers simultaneously develop new attack techniques to thwart defenses, which for all intents and purposes gives them the upper hand.
But a new concept, originally conceived by DHS.gov, is creating a new paradigm in cyber defense that can for the first time potentially shift the power to the defenders for good. Known as Moving Target Defense (MTD), this concept creates confusion for bad actors by introducing a dynamic, constantly evolving attack surface across multiple system dimensions to increase uncertainty and complicate attacks. Ultimately, hackers cannot hit what they cannot see.
MTD can be implemented in different ways, including via dynamic runtime platforms and dynamic application code and data. However, it is through the deployment of decoys, such as false endpoints, servers and IoT devices – to misdirect attackers at the network, host or application layer of a tech stack - that security teams benefit from most. Such distractions create a constantly changing environment, prompting attackers to question if the vulnerabilities they find are real or fake, if systems are real or a decoy and if the layout of a network is genuine.
Why now is the time to implement Moving Target Defense
For some CISOs and security managers, implementing MTD may sound like an enticing proposition, but envisioning the transformation can be somewhat mind boggling and makes them hesitate. It’s important to acknowledge that polymorphism has been weaponized by malware authors against us for years. But with recently developed techniques, the right pro-active defense is available. Here are three ways that implementing MTD now can help your organization reduce risk.
- It levels the playing field between attackers and defenders. The single biggest benefit of implementing MTD is that defenders make themselves difficult targets for attackers to spot, regardless of the type of application layer. In the network layer, for example, if an attacker doesn’t know what IP address to target because it constantly shifts, then they cannot easily identify attack locations that they wish to target from device-to-device. By creating a decoy software layer that makes it easy for the defender to move around, the costs of an attacker attempting to chase a defender are driven up, while also reducing the number of people that are qualified to attack, as the software layer continues to move.
As an example, the military for decades has utilized frequency hopping radios, a technique that rapidly transmits radio signals by switching carriers between a number of frequency channels. If a defender knows what frequency that an adversary is using, they can put out so much noise, or “jam” the frequency at any moment so that adversary has great difficulty penetrating through that noise.
- It reduces the need for threat detection. When defenders increase the difficulty of an attack, then that itself means that a security team doesn’t need to rely as much on threat detection solutions. That’s because when applying MTD, you zig when an attacker zags. As an analogy, think about a bank vault and its contents. Every night, the bank vault moves places within the bank, so robbers who attempt breaking-in would have a difficult time finding the vault. Similarly, changing the location of the attack surface makes it very difficult for attackers to strike, again shifting the power to defenders, while also lessening the burden on over-extended security teams.
- It’s a ‘scalable’ security solution. As more controllers, servers, remote terminals, monitoring equipment and sensors are tied to the internet, the cyberattack surface increases exponentially, creating unprecedented vulnerabilities and threats that require additional resources to remediate. Because MTD makes an attack surface dynamic, it naturally decreases in size because of its constant movement, creating more efficiencies in security at scale.
While these are all clear benefits of implementing an MTD strategy, it has to be noted that for MTD to work, the concept must be implementable. Specifically, it has to fit within the existing architectural infrastructure; have a near zero impact on the administrative behavior of the enterprise; be easy to “turn on”; and require minimal customized knowledge. MTD must result in a net positive shift in security because if an attack surface is reduced, but requires leaving a back door open, then it is ineffective because attackers can still get in.
To elaborate, let’s revisit the radio jamming example. Frequency hopping does not solve the underlying reliance on the RF spectrum to provide transport for the frequencies, so vulnerabilities remain. The point is that frequency hopping radios have provided decades of RF security, even with the risks and inherent vulnerabilities. It isn’t perfect, but it works, and the same can be said for MTD.
MTD is imperfect, but gives defenders an unprecedented edge against attackers
Make no mistake, MTD is not perfect and it operates on the assumption that attacks will still happen. But by taking a pragmatic approach to MTD and understanding that it makes a defender a more difficult target, reduces the need for threat detection and makes security more scalable, it’s clear that the benefits outweigh the cons of implementing it as part of the broader cybersecurity strategy. Even in environments that are likely to be compromised, MTD gives defenders an advantage that simply wasn’t possible to obtain just a short time ago.Doug Britton is Chief Technology Officer at RunSafe Security
